I've been researching and testing different approaches when it comes to securing code secrets, and am unsure what the best options are, and if they even have any relevance once a host gets compromised.
Some standard approaches I've read about for storing variables are:
- Compiled code
- Environment variables on machine or through Docker
- Files
- Encrypted/decrypted through keys to a vault API/DB
If a host gets compromised (admin access), secrets can be exposed via:
- Decompiling code
- Viewing env variables / files
- Memory dumps
- Viewing SSL traffic using private keys on host
- Decompiling and modifying code to expose possible encryption/decryption keys and output secrets once fetched from a vault
Are there methods that will protect secrets once a host is compromised, or is it just making the ability to fetch secrets more complex, so an intruder will find it more difficult to reach them?
If a host is secured and firewalled and admin access is tightly controlled, is there really any benefit to the added complexity of storing secrets elsewhere rather than on the host itself?
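As an added illustration (not part of the question or of any answer) of why the last option in the list, a vault, behaves differently from a static secret once the host is compromised: a constructed toy vault that models only short-lived, per-host revocable leases. The vault class, host name and static password are hypothetical; a real vault's API differs, but the time-bounded property is what the question is really asking about.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed toy, not a real vault API: it models only leases with a TTL
# and per-host revocation, which is the property that matters here.

@dataclass
class Lease:
    token: str        # the credential the application actually uses
    host: str         # which host it was issued to
    expires_at: float # after this time the token is useless even if copied

class ToyVault:
    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._leases: Dict[str, Lease] = {}

    def issue(self, host: str, now: float) -> Lease:
        lease = Lease(secrets.token_urlsafe(24), host, now + self.ttl)
        self._leases[lease.token] = lease
        return lease

    def is_valid(self, token: str, now: float) -> bool:
        lease = self._leases.get(token)
        return lease is not None and now < lease.expires_at

    def revoke_host(self, host: str) -> int:
        # Incident response: revoke everything issued to a compromised host.
        doomed: List[str] = [t for t, l in self._leases.items() if l.host == host]
        for t in doomed:
            del self._leases[t]
        return len(doomed)

# A static secret (env var, file, compiled constant) has no lease: anything
# copied off the host keeps working until someone rotates it by hand.
STATIC_SECRET = "hypothetical-static-db-password"  # constructed sample value

def static_secret_works(captured: str) -> bool:
    return captured == STATIC_SECRET

def captured_lease_works(ttl: float, dump_at: float, use_at: float,
                         revoke_at: Optional[float] = None) -> bool:
    """Lease issued at t=0; the intruder copies it (env/file/memory) at dump_at
    and presents it at use_at; defenders optionally revoke the host at revoke_at."""
    vault = ToyVault(ttl)
    lease = vault.issue("app-host-1", now=0.0)
    captured = lease.token if dump_at < lease.expires_at else None
    if revoke_at is not None and revoke_at <= use_at:
        vault.revoke_host("app-host-1")
    return captured is not None and vault.is_valid(captured, now=use_at)
```

The copied static secret works forever; the copied lease works only until expiry or revocation, which is the benefit the extra complexity buys (a smaller window, not immunity).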